Security researchers have identified a vulnerability in the Xpress server of the SAP point of sale terminal that allows a small computer, such as a Raspberry Pi, not only to steal credit card data but also to change prices.
According to a blog post by researchers at ERPScan, several vulnerabilities found in point of sale systems developed by SAP and Oracle allowed hackers not only to compromise customers’ data but also to gain unfettered control over the POS server.
SAP POS, a client-server point-of-sale system, is a part of the SAP for Retail solution portfolio, which serves 80 percent of the retailers in the Forbes Global 2000.
According to researchers, the system failed to perform several authorisation checks. To demonstrate the attack vectors, researchers made a video of a proof-of-concept attack. The video demonstrates that, using a £20 Raspberry Pi, a hacker can access the network where the POS terminal is located and install malware designed to set a significant discount.
“Once you are in, you have unlimited control over the backend and front-end of the POS system, as the tool can upload a malicious configuration file on the SAP POS Xpress Server without any authentication procedure,” said the researchers.
“New parameters are limited by hackers’ imagination: they can set a special price or discount, the time the discount is valid, the conditions under which it works – for example, when purchasing a specific product. In our case, we set up an incredible discount on a MacBook.”
Dmitry Chastuhin, one of the researchers who identified the vulnerabilities, said that, broadly speaking, it’s not a problem of SAP.
“Many POS systems have similar architecture and thus the same vulnerabilities. POS terminals used to be plagued with vulnerabilities as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly,” he said.
“On the other hand, banks must adhere to different compliance standards. So, the connections between POS workstation and the store server turn out to be the weakest link. They lack the basics of cyber-security – authorisation procedures and encryption, and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.”
The vulnerabilities were reported to the vendor back in April 2017. SAP released the first patch in July according to its release schedule. However, when researchers looked at the fix, they found out that the newly implemented authorisation check could be bypassed by using another vulnerability.
Researchers notified the software maker about the failed patch on 15 August. Taking into account the criticality of the issues, SAP issued a patch in less than a week, on 18 August.